<html>
<head><meta charset="utf-8"><title>crate_source_code · general · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/index.html">general</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html">crate_source_code</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="220256316"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220256316" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Maximilian Hristache <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220256316">(Dec 17 2020 at 15:22)</a>:</h4>
<p>Hi, I have built an app in Rust at work and as part of the compliance checks that my company is doing before using the app in production, I need to provide links to the source code for each of the dependencies that I use. However I noticed that there doesn't seem to be a way to get a link to the source code for a specific crate version in <a href="http://crates.io">crates.io</a>. How do I do this?</p>
<p>Thanks</p>



<a name="220256434"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220256434" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> lqd <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220256434">(Dec 17 2020 at 15:23)</a>:</h4>
<p>with a script like <a href="https://gist.github.com/lqd/4a8af10389d10840d90655c109df5eac">https://gist.github.com/lqd/4a8af10389d10840d90655c109df5eac</a></p>



<a name="220256582"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220256582" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> lqd <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220256582">(Dec 17 2020 at 15:24)</a>:</h4>
<p>which downloads the source from the <a href="http://crates.io">crates.io</a> URL</p>



<a name="220257107"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220257107" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Maximilian Hristache <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220257107">(Dec 17 2020 at 15:28)</a>:</h4>
<p>the problem is that the compliance tool expects a link to the source code, not a tgz or zip file. For other languages we provide the link to github release (e.g. for go) or link to pypi for python dependencies. Rust seems to be the only language that has a source code central repo but does not provide a direct link to it.</p>



<a name="220257248"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220257248" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220257248">(Dec 17 2020 at 15:29)</a>:</h4>
<p><a href="http://docs.rs">docs.rs</a> hosts the crate source code too</p>



<a name="220257286"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220257286" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220257286">(Dec 17 2020 at 15:29)</a>:</h4>
<p>doesn't seem like the best solution though</p>



<a name="220257491"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220257491" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Maximilian Hristache <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220257491">(Dec 17 2020 at 15:30)</a>:</h4>
<p>is it guaranteed that <a href="http://docs.rs">docs.rs</a> and <a href="http://crates.io">crates.io</a> have exactly the same source code? If I remember correctly <a href="http://docs.rs">docs.rs</a> was not owned by rust-org?</p>



<a name="220257526"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220257526" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220257526">(Dec 17 2020 at 15:31)</a>:</h4>
<p>It is owned by the rust-org now.</p>



<a name="220257949"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220257949" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Maximilian Hristache <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220257949">(Dec 17 2020 at 15:33)</a>:</h4>
<p>ok, thank you. I will try to use the <a href="http://docs.rs">docs.rs</a> link and see if that is acceptable</p>



<a name="220261580"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220261580" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Maximilian Hristache <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220261580">(Dec 17 2020 at 15:58)</a>:</h4>
<p>checking the script <span class="user-mention" data-user-id="116113">@lqd</span> mentioned, I can actually get a link to the source code from <a href="http://crates.io">crates.io</a> like this: <a href="https://crates.io/api/v1/crates/serde_json/1.0.60/download">https://crates.io/api/v1/crates/serde_json/1.0.60/download</a> which I think is exactly what I need</p>
<p>thanks <span class="user-mention" data-user-id="116113">@lqd</span></p>



<a name="220261845"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220261845" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Maximilian Hristache <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220261845">(Dec 17 2020 at 16:00)</a>:</h4>
<p>the next question I have is if the crates in <a href="http://crates.io">crates.io</a> are allowed to use dependencies from e.g. github or private crates repos?</p>



<a name="220262036"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220262036" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220262036">(Dec 17 2020 at 16:01)</a>:</h4>
<p>I don't think so, no</p>



<a name="220262112"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220262112" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220262112">(Dec 17 2020 at 16:02)</a>:</h4>
<p>And they're also not allowed to have wildcard dependencies (<code>version = "*"</code>)</p>



<a name="220262278"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220262278" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Maximilian Hristache <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220262278">(Dec 17 2020 at 16:03)</a>:</h4>
<p>ok, so basically it's guaranteed that all source code comes from <a href="http://crates.io">crates.io</a></p>



<a name="220262437"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220262437" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220262437">(Dec 17 2020 at 16:04)</a>:</h4>
<p>Yes.</p>



<a name="220262514"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220262514" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Maximilian Hristache <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220262514">(Dec 17 2020 at 16:05)</a>:</h4>
<p>great! thanks everyone!</p>



<a name="220262576"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220262576" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220262576">(Dec 17 2020 at 16:05)</a>:</h4>
<p><span class="user-mention silent" data-user-id="363601">Maximilian Hristache</span> <a href="#narrow/stream/122651-general/topic/crate_source_code/near/220257491">said</a>:</p>
<blockquote>
<p>is it guaranteed that <a href="http://docs.rs">docs.rs</a> and <a href="http://crates.io">crates.io</a> have exactly the same source code? If I remember correctly <a href="http://docs.rs">docs.rs</a> was not owned by rust-org?</p>
</blockquote>
<p>I have more comments on this but they may not be relevant if you're using <a href="http://crates.io">crates.io</a> directly</p>



<a name="220262672"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220262672" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Maximilian Hristache <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220262672">(Dec 17 2020 at 16:06)</a>:</h4>
<p>please share <span class="user-mention" data-user-id="232545">@Joshua Nelson</span></p>



<a name="220263103"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220263103" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220263103">(Dec 17 2020 at 16:09)</a>:</h4>
<p>there are three cases I can think of when <a href="http://docs.rs">docs.rs</a> and <a href="http://crates.io">crates.io</a> might have different source code:</p>
<ol>
<li><a href="http://Crates.io">Crates.io</a> could delete a crate and <a href="http://docs.rs">docs.rs</a> would still have it cached; this has happened in the past. The bug here is that we should also delete the code, but it wouldn't be <em>different</em> per se. This normally happens for legal reasons.</li>
<li><a href="http://Crates.io">Crates.io</a> could silently modify a crate on their end. To my knowledge this has never happened, I would consider it a breach of trust for the whole Rust org. I think this is the same fundamental tradeoff of trusting a 3rd-party package registry.</li>
<li><a href="http://Docs.rs">Docs.rs</a> could silently modify a crate. To my knowledge this has never happened; I can't personally guarantee it because I haven't been on the team for its whole existence but I would be shocked to find out it was true. I would also consider this a breach of trust.</li>
</ol>



<a name="220263230"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220263230" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220263230">(Dec 17 2020 at 16:10)</a>:</h4>
<p>I think 3 is <em>mostly</em> the same trust tradeoff as 2, I think I'm the only person with access to <a href="http://docs.rs">docs.rs</a> but not <a href="http://crates.io">crates.io</a></p>



<a name="220263358"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220263358" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220263358">(Dec 17 2020 at 16:11)</a>:</h4>
<p>If 2 happened anyone with a lockfile would have their build break as the hash will change. Cargo gets very unhappy when hashes don't match the lockfile.</p>



<a name="220263382"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220263382" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220263382">(Dec 17 2020 at 16:11)</a>:</h4>
<p>oh perfect :) then 2 is enforced by cargo even</p>



<a name="220263498"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220263498" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220263498">(Dec 17 2020 at 16:12)</a>:</h4>
<p>(and you can be sure because cargo's source code is public)</p>



<a name="220264076"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220264076" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220264076">(Dec 17 2020 at 16:14)</a>:</h4>
<p>that said if you want code you can actually read and browse <a href="http://docs.rs">docs.rs</a> is probably the best choice, if you just want to compare checksums use <a href="http://crates.io">crates.io</a></p>



<a name="220264095"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220264095" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220264095">(Dec 17 2020 at 16:14)</a>:</h4>
<p>Edit: the index has a <code>cksum</code> in it. So Cargo will get mad if the contents don't match the index, even without the lockfile.</p>



<a name="220280322"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220280322" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Poliorcetics <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220280322">(Dec 17 2020 at 18:10)</a>:</h4>
<p>Looks like some people looked at past security issues and solved them (at least partially) <span aria-label="smile" class="emoji emoji-1f642" role="img" title="smile">:smile:</span></p>



<a name="220280358"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/crate_source_code/near/220280358" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Poliorcetics <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/crate_source_code.html#220280358">(Dec 17 2020 at 18:10)</a>:</h4>
<p>(Past security issues in other package managers)</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>